Data Protection and Compliance in Context
eBook - ePub

Data Protection and Compliance in Context

Stewart Room

  • 304 pages
  • English
  • ePUB (mobile friendly)

About This Book

This practical book provides a comprehensive tool to guide individuals through the jungle of data protection legislation that influences businesses and personal lives. The main aim of data protection legislation is the achievement of balance between the interests of the individual against the power of the information age. But many of these legal requirements conflict with the natural uses of IT. Written for those with little or no knowledge of the law, this accessible book approaches data protection from three angles: the context in which data protection should be viewed, the content of data protection laws, and data protection from the compliance perspective. This is a trustworthy guide to data protection law, ideal for IT professionals, data protection officers, and all businesses.



1 Introduction to Data Protection
Data protection is a topic of global importance. Data protection laws can be found in all the major industrialized nations, they are being developed for developing nations and they are the focus of significant intergovernmental cooperation. International organizations, such as the United Nations,[1] the Organisation for Economic Co-operation and Development,[2] the Council of Europe and the European Community (EC), have invested heavily in data protection, issuing guidance and laws that are remarkably consistent in terms of their aims, objectives and requirements.
DATA PROTECTION IN THE UK – THE DATA PROTECTION ACT 1998
In the UK the framework piece of legislation is the Data Protection Act 1998, or ‘DPA’ for short. The DPA repealed and replaced its predecessor, the Data Protection Act 1984, in order to give effect to the requirements of the EC Data Protection Directive 1995. The DPA also gives effect to the requirements of the Council of Europe’s Data Protection Convention 1981. The DPA is supplemented and supported by many other pieces of legislation, which will be introduced at appropriate places.
The DPA describes itself as being an Act that makes ‘new provision for the regulation of the processing of information relating to individuals’. This statement is worth thinking about, for it has massive ramifications. Putting it simply, the processing of information relating to individuals is something that we all do. Every government body processes information relating to individuals, as does every public authority, every business and every person with a PC.
Processing personal data – information relating to data subjects
However, it is only the processing of information relating to identifiable living individuals that is regulated by the DPA. The DPA does not regulate the processing of information relating to unidentified or unidentifiable living individuals, or the processing of information relating to the deceased or the processing of information relating to companies, non-incorporated organizations (such as clubs and societies), public authorities, charities or similar bodies. Information relating to identifiable living individuals is known as ‘personal data’ and the people whose personal data are processed are known as ‘data subjects’.
Automated and manual processing by data controllers and data processors
The Act regulates both automated processing of personal data, that is, processing done by computers, and limited kinds of manual processing of personal data, but only where the processing is performed by ‘data controllers’ and ‘data processors’. The data controller, who is characterized by having the power to determine the purpose of the processing or the manner of the processing, carries most of the obligations under the DPA. A data processor processes personal data on behalf of a data controller, but is not an employee (for the purposes of the DPA employees of data controllers form part of the data controller). The data controller is ultimately responsible for ensuring that the data processor’s activities are compliant with the DPA.
The concept of processing
The concept of processing is extremely wide, covering every conceivable act that can be done on or towards personal data, from its initial collection right through to its final deletion or destruction. Acts of processing include organization, adaptation or alteration of data, retrieval, consultation or use of data, disclosure of data by transmission and dissemination and the alignment, combination, blocking, erasure or destruction of data.
Summary – the key things to remember
A person who is interested in data protection should remember the following things:
  • Data protection laws regulate the processing of personal data by data controllers and data processors. The DPA also concerns ‘third parties’ and ‘recipients’. A third party is anyone other than the data controller, the data subject or the data processor and can include legal persons, such as companies, as well as individuals. A recipient is any person to whom personal data are disclosed in the course of processing done by or on behalf of the data controller, apart from persons who receive personal data as a result of a particular inquiry made in exercise of legal powers, such as the Information Commissioner or the police.
  • The fairness, lawfulness and legitimacy of data processing are benchmarked against the ‘data protection principles’. There are eight data protection principles in the DPA.
  • The Information Commissioner is the UK’s supervisory authority, responsible for promoting the following of good practice by data controllers and for enforcing compliance with the DPA.
  • Personal data is information relating to living individuals and includes opinions about living individuals and indications of the data controller’s intentions towards living individuals.
  • Within Europe, the most important laws are the European Convention for the Protection of Human Rights and Fundamental Freedoms, the Data Protection Convention[3] and the Data Protection Directive.[4]
  • Within Europe, the main law-making bodies are the Council of Europe, the EC, the Article 29 Working Party, the national governments, the national supervisory authorities and the courts.
  • The aims of data protection laws are twofold: they protect privacy and they support the free flow of personal data between data controllers and between countries.
  • The DPA replaced and repealed the Data Protection Act 1984, in order to give effect to the requirements of the Data Protection Directive 1995. The DPA also gives effect to the requirements of the Data Protection Convention 1981.
OVERVIEW AND HISTORY OF DATA PROTECTION LAWS
The DPA forms part of a comprehensive and harmonized European legal framework for the regulation of the processing of personal data. This framework is a consequence of work done by the Council of Europe and the EC. Of course, data protection laws can be found outside of Europe too.
The two principal aims of data protection laws
Wherever they are found, data protection laws have two principal aims. These are:
  • The protection of privacy during the processing of personal data.
  • The maintenance of free flows of personal data between countries.
    This requires the elimination of obstacles to the free flow of personal data between countries that are based solely on the protection of privacy.
These dual aims certainly appear to be in conflict (privacy of personal information v. the free flow of it), but data protection laws have to deal with the realities of modern life. Those realities include the fact that free flows of personal information are vital to the economy and to the effective performance of public functions, hence they must be maintained. Maintaining free flows of personal data obviously interferes with personal privacy, so the law compensates for the interference by requiring a high level of protection for the privacy of personal data undergoing processing. The high level of protection is that prescribed by data protection laws themselves, which put in place strong mechanisms to prevent unfair or unlawful processing. Ensuring a high level of protection for the privacy of personal data that is undergoing processing is a prerequisite to the continuance of free flows of personal data.
Putting the same point differently, the law will allow a person to transfer data to another person or to another country provided that the transferor meets the minimum standards prescribed by the law.
Laws in Europe should be in harmony – the reason for Council of Europe and EC activity
The Council of Europe and the EC are the two organizations responsible for the development of data protection laws in Europe. These organizations are separate and distinct. The Council of Europe, founded in 1949, is essentially a human rights organization consisting of 46 European Member States. The other organization, the EC, started life as the European Economic Community in 1957 and it currently has 25 Member States. The UK, like all other EC Member States, is a member of both organizations and the DPA gives effect to the requirements of the data protection laws of both organizations, namely the Data Protection Convention and the Data Protection Directive.
The Council of Europe and the EC have taken the lead in the development of data protection laws within Europe due to the fact that European governments recognize that there need to be harmonized data protection laws across Europe in order to achieve the two principal aims of data protection, namely the protection of privacy and the maintenance of free flows of personal data.
The need for harmonization of laws is explained by the fact that a key theory within data protection laws is that differences in the levels of protection for privacy offered by national laws can cause obstacles to the free flow of personal data between countries, that is, a country with a high level of protection for privacy could impede the flow of personal data to a country with weaker protection. The harmonization of laws addresses this problem, because where laws are harmonized the scope for differences between countries on fundamental issues is removed.
It would be a mistake to fall into the trap of thinking that the harmonization process requires the national laws of the countries within the area of harmonization to be exactly the same. Harmonization is not meant to achieve exactness in the laws of each participating country. In fact, despite harmonization, participating countries have a wide margin for manoeuvre, with the result that differences in national laws are still being detected. For instance, penalties for breach of data protection laws differ from country to country.
The protection of privacy
Privacy is a very wide concept. It includes the private space (such as the home), private items (such as letters and photographs), private relationships (such as sexual relationships) and private information (such as information about people).
The right to respect for personal privacy is a recognized human right. Within Europe the principal human rights law is the European Convention for the Protection of Human Rights and Fundamental Freedoms of 1950 (or the ‘ECHR’ for short). The ECHR has been incorporated into UK law by the Human Rights Act 1998.
Article 8 of the ECHR protects the right to privacy and provides the founding principles upon which European data protection laws are built. It says:
1) Everyone has the right to respect for his private and family life, his home and his correspondence.
2) There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
It often comes as a surprise to learn that neither the DPA, nor the Data Protection Convention, nor the Data Protection Directive has tried to define the meaning of the word privacy. Thus, we need to look elsewhere for a definition.
Concepts within privacy – informational and substantive privacy
One early definition of privacy that still holds well is that it is a ‘right to be let alone’.[5] This definition is supported by two newer concepts, ‘substantive privacy’ and ‘informational privacy’. The theory behind substantive privacy is that people should be free to make substantive decisions about how they lead their lives, free from interference by the State or by others. The theory behind informational privacy is that people should be able to control the flow of information about them. These two concepts are interconnected and a state of informational privacy is often a prerequisite to enjoyment of substantive privacy.
To illustrate, imagine a country passing a law to ban the practice of a particular religion. Such a ban interferes with substantive privacy, that is, the freedom of individuals to choose to practise the religion. The State’s interference with substantive privacy will not be enough to completely eradicate the religion, however, as devotees will practise in private, out of view of the State. If the State really wants to eradicate the religion, it will also need to identify who is practising the religion, which means interfering with informational privacy.
Privacy versus other rights and interests
The right to privacy is not an ...
